Re: DNA Center / ESX Servers Inside Fabric?

ronhunt14 · ‎10-17-2019

We are beginning our DNA Center adventure and we have a couple of questions.

1) Can the DNA Center, ISE Servers and DHCP be installed inside the fabric? Or they 100% have to be installed outside the border?

2) Our ESX servers in our current networks use trunk links to connect on different IP subnets depending on the server. Is there a similar way to do this inside the fabric? I don't see any way to create trunks. The only way I see to do is an access port and then DNA assigns the servers to a pool based on authentication (802.1x or MAB).

Thanks!!

Pavan Siripuram · ‎10-18-2019

Usually They have to be outside of fabric , as for few services it needs both the underlay and overlay access(shared services) which can be possible if they are outside of fabric , But thats said i would recommend you to get an advise for design review from cisco experts on this , your accounts team can help in this case to get a design review.

battyjohn · ‎10-29-2019

The recommendation if you follow the prescriptive design idea to host it all outside of the fabric.

It is possible to manually host elements in the fabric but you would need to do a few things:

Assuming you use a dedicated VN for hosting ise and dhcp on you would need to leak routes on the fusion device to enable other VNs to use them.

I've not tried a trunk link to a host yet, I'm sure you can do it manually but both this and ise are all chicken before egg as DNA center needs an ise integration before you manage and provision switches, and to trunk the right VLANs you'd need to deploy the VNs first in the fabric, then work out what got assigned subnet wise to what plan manually on the switch to reconfigure an access port.

Definitely host them externally to the fabric if you can. Otherwise I suspect you will create trouble for yourself longer term.

Mike.Cifelli · ‎10-29-2019

I can answer this one: 2) Our ESX servers in our current networks use trunk links to connect on different IP subnets depending on the server. Is there a similar way to do this inside the fabric? I don't see any way to create trunks. The only way I see to do is an access port and then DNA assigns the servers to a pool based on authentication (802.1x or MAB).
Using DNAC you can provision your NAD interfaces as a 'server' type interface. This will provision the port as a trunk link inside the fabric. As of DNAC 1.2.12 the basic configuration for a 'server' interface looks like this:
interface GigabitEthernet1/0/24
switchport mode trunk
device-tracking attach-policy IPDT_TRUNK_POLICY
no macro auto processing
end
Just be aware that all vlans are allowed. I would recommend relying on templates to tweak your trunk configs as you wish to make them more secure, etc.
As for this: 1) Can the DNA Center, ISE Servers and DHCP be installed inside the fabric? Or they 100% have to be installed outside the border?
I think this comes down to a design and requirement decision. For my SDA deployment I have DNAC and ISE hanging directly off the fabric, and other data center services in a legacy server stack where I push CTS via static mappings and enforce accordingly.
Good luck & HTH!

anthony.wild · ‎01-20-2020

I think this is most useful and applicable at the Branch, where you have latency sensitive applications hosted directly on premise (think Engineering/SCADA w/Motion Control). There are some dated deployment guides that talk about having servers hanging off on a Shared Services block, but if I have a "Fabric in a Box" on a 9400 or similar, it kind of seems wasteful to allocate additional switching "just because" when I have a pretty powerful and flexible Core Switch sitting just a rack over. For the template mention that Mike went through... I wish the ACI guys talked to the DNA/SDA folks and they had something like "AAEPs".

Thank's Mike for the "How To"!